Generate RSA Key

This selection initiates RSA key generation at the workstation. The generated RSA key is protected with a previously generated DES IMP-PKA or AES IMPORTER key, and the encrypted RSA key is saved in a file.

From the Domain Keys page, right-click RSA key in the Key Types container and select Generate. The Generate RSA Key window opens.

Figure 1. Generate RSA Key
In the Generate RSA Key window, specify the following information:
RSA key usage control
Specifies whether or not the RSA key can be used for key management purposes (encryption of DES keys). All RSA keys can be used for signature generation and verification.
Key length
Length of the modulus of the RSA key in bits. For RSA keys protected by a DES EXPORTER key, any length between 512 and 1024 is allowed. For RSA keys protected by an AES EXPORTER key, any length between 512 and 1024 is allowed, as are lengths of 2048 and 4096. When a length of 2048 or 4096 is selected, the AES EXPORTER key should be at least 24 bytes long. If it is not, a message is displayed.
Public exponent
Value of the public exponent of the RSA key.
PKDS key label
Label to be given to the imported RSA key at the host. The information provided in this field can be changed when you load the RSA key to the host.
Private key name
Text string that is included in the RSA key token and cryptographically related to the key. The private key name can be used for access control for the key. The information you entered in the PKDS key label field is copied to this field and can be edited.
Description
Optional free text that is saved with the RSA key and displayed when you retrieve the key.
Workstation DES EXPORTER keys
This container displays the labels of the DES EXPORTER keys currently in TKE workstation DES key storage that can be used to protect RSA keys generated at the TKE workstation. When these keys were loaded into TKE DES key storage, key usage of "for RSA key generation" was specified. To select one of these keys, click Workstation DES EXPORTER keys and select a key label.
Workstation AES EXPORTER keys
This container displays the labels of the AES EXPORTER keys currently in TKE workstation AES key storage that can be used to protect RSA keys generated at the TKE workstation. Only keys whose set attributes include "Key can be used for IMPORT", "Key can be used for GENERATE-PUB", and "Key can wrap RSA keys" are listed. To select one of these keys, click Workstation AES EXPORTER keys and select a key label.
Host CKDS key label
The CKDS key label at the host used to import the RSA key. The selected workstation DES EXPORTER or AES EXPORTER key label is copied to this field and can be edited. This information can be changed when you load the RSA key to the host.

When the key is generated, a window opens that prompts the user to specify the file location (USB flash memory drive or TKE Data Directory) and file name for saving the generated RSA key.

Attention: Do not remove a USB flash memory drive from the USB port before you complete the operation that is using the drive, or before you respond to a message related to the operation that is using the drive. If you do remove a drive before the operation is complete, hardware messages might be generated on the TKE workstation.